📋 Prerequisites
🎯 Affected Service(s)
Controller Service
🚦 Impact/Severity
Minor inconvenience
🐛 Bug Description
In >=v0.9.7, the controller pins declarative agent images using digests (registry/repository@sha256:...).
While the registry and repository are configurable at runtime via --image-registry and --image-repository, the digest itself is injected at controller link time from upstream images.
https://github.com/kagent-dev/kagent/blob/a766d22c96a4d204ed01935f72e7abf903dcf608/scripts/controller-digest-ldflags.sh
There is currently no runtime override for the digest, and --image-tag is silently ignored for declarative agents. As a result, in private/mirrored registry setups, the controller generates image references like:
my-registry.example.com/my-org/kagent/app@sha256:<UPSTREAM_DIGEST>
If the mirrored image does not retain the exact upstream manifest digest (e.g. due to rebuilds or recompression), all agent pods fail with: ImagePullBackOff / manifest unknown
🔄 Steps To Reproduce
- Prepare a private registry (e.g. ECR)
- Deploy the controller
- Create a declarative Agent
- Inspect the generated Deployment.
kubectl get deploy <agent-name> -o yaml
🤔 Expected Behavior
When --image-registry / --image-repository (Helm: agents.image.*) point to a private registry, the controller should emit an image reference that is resolvable in that registry, e.g.:
- honoring --image-tag, or
- allowing a runtime-provided digest that exists in the private registry
📱 Actual Behavior
- Image references are constructed using:
- runtime registry + repository
- link-time upstream digest
- --image-tag has no effect for declarative agents
Result: invalid image references in private registries
💻 Environment
- AWS EKS - eks.29
- Kubernetes - 1.33
- Kagent: 0.7.23
- Model: Bedrock - Anthropic Claude Sonnet 4.5
🔧 CLI Bug Report
No response
🔍 Additional Context
No response
📋 Logs
📷 Screenshots
No response
🙋 Are you willing to contribute?
📋 Prerequisites
🎯 Affected Service(s)
Controller Service
🚦 Impact/Severity
Minor inconvenience
🐛 Bug Description
In >=v0.9.7, the controller pins declarative agent images using digests (registry/repository@sha256:...).
While the registry and repository are configurable at runtime via --image-registry and --image-repository, the digest itself is injected at controller link time from upstream images.
https://github.com/kagent-dev/kagent/blob/a766d22c96a4d204ed01935f72e7abf903dcf608/scripts/controller-digest-ldflags.sh
There is currently no runtime override for the digest, and --image-tag is silently ignored for declarative agents. As a result, in private/mirrored registry setups, the controller generates image references like:
my-registry.example.com/my-org/kagent/app@sha256:<UPSTREAM_DIGEST>If the mirrored image does not retain the exact upstream manifest digest (e.g. due to rebuilds or recompression), all agent pods fail with:
ImagePullBackOff / manifest unknown🔄 Steps To Reproduce
kubectl get deploy <agent-name> -o yaml🤔 Expected Behavior
When --image-registry / --image-repository (Helm: agents.image.*) point to a private registry, the controller should emit an image reference that is resolvable in that registry, e.g.:
📱 Actual Behavior
Result: invalid image references in private registries
💻 Environment
🔧 CLI Bug Report
No response
🔍 Additional Context
No response
📋 Logs
📷 Screenshots
No response
🙋 Are you willing to contribute?